stream: reject broken ACK packets
Fix evasion possibility by rejecting packets with a broken ACK field.
These packets have a non-0 ACK field, but do not have an ACK flag set.

Bug #3324.

Reported-by: Nicolas Adba
(cherry picked from commit fa692df)
victorjulien committed Dec 13, 2019
1 parent ea0659d commit 1c63d39
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/stream-tcp.c
Expand Up @@ -4759,6 +4759,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
/* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */
if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
goto error;
}

/* If we are on IPS mode, and got a drop action triggered from
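Review bot: The condition guarding the new `goto error` tests only for the absence of `TH_ACK`, so the reject applies to every segment type that carries a non-zero ACK field without the flag, SYN and RST included. If an end host still acts on such a segment (for example a RST whose ACK field was left non-zero), the engine and the host would disagree about stream state, which is the kind of gap this fix is meant to close; it is worth confirming the behaviour per flag type or narrowing the reject accordingly. The comment above the check is still only a URL; one sentence saying the packet is rejected to prevent evasion, with a reference to Bug #3324, would document the intent.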
Expand Down Expand Up @@ -6883,7 +6884,7 @@ static int StreamTcpTest10 (void)

tcph.th_win = htons(5480);
tcph.th_seq = htonl(10);
tcph.th_ack = htonl(11);
tcph.th_ack = 0;
tcph.th_flags = TH_SYN;
p->tcph = &tcph;

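Review bot: No test covers the new reject path: in `StreamTcpTest10` the SYN packet's `tcph.th_ack` is changed to `0` so the existing test keeps passing, but nothing visible in this change feeds a broken-ACK packet through `StreamTcpPacket`. Suggest adding a case that keeps `tcph.th_flags = TH_SYN` with `tcph.th_ack = htonl(11)` and asserts that the packet is rejected and `STREAM_PKT_BROKEN_ACK` is set, so a regression to event-only behaviour is caught.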